Are ransomware groups willing to negotiate with victims on reduced fees? In the case of AvosLocker, the answer seems to be yes.
BleepingComputer recently linked to a joint cybersecurity advisory from the FBI and other government agencies that discussed details. The money quote:
We have also observed alleged AvosLocker representatives make phone calls to the victims to direct them to the payment site to negotiate. Multiple victims have also reported that AvosLocker negotiators have been willing to negotiate reduced ransom payments.
— FBI
AvosLocker is one of the growing number of Ransomware-as-a-Service (RaaS) providers who will find and exploit security holes in an organization’s defenses, and sell that exploit to others for a price. But being open to taking less cryptocurrency (usually in Monero, but with a Bitcoin option for an additional fee) is something not often seen.
AvosLocker likes to go after big guns like the U.S. financial services, critical manufacturing, and government facilities sectors, according to the FBI. Another unusual aspect of their attacks is how it will try to pressure the victim to pay the ransom: during negotiations, it will sometimes launch a distributed denial-of-service (DDoS) attack as well.
DDoS attacks have been common for decades, and are still in regular use—but there haven’t been many publicly reported cases of their use in conjunction with a ransomware attack. In addition, AvosLocker threatens to use data exfiltration in an attack, which involves publishing confidential data stolen in the attack on a blog.
The AvosLocker ransomware group first came to the public’s attention in July 2021, when Palo Alto Networks noticed a dark web discussion forum advertisement for “a new RaaS called AvosLocker.” The advertisement was looking for affiliates, i.e. partners to use its ransomware to launch attacks.
The cybersecurity release says that AvosLocker has targeted victims throughout the world, including (in addition to the U.S.): Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the United Arab Emirates, the United Kingdom, Canada, China, and Taiwan.
The threat of U.S. infrastructure being targeted raises the hackles, considering what happened with the Colonial Pipeline attack in May 2021. The consequences of such hacks can be far-reaching and last for weeks, months or even longer.
Some victimized organizations feel like it’s a good idea to negotiate a lower ransom payment, and that by saving money they’ve dodged at least part of the bullet. But it’s very unclear whether any money is really saved in the end, since it’s well known that the company is likely to be targeted again by the same ransomware actor, even after paying the ransom. It’s better to protect against ransomware, and have proper backup and restore procedures in place to recover quickly. This book is a good starting point for what you need to know.
